ipsec: use monotonic clock for SA creation/lookup timestamp
So the comparison is always meaningful. These are never copied out of the kernel so we can change the timestamp clock without issue. ok?
Index: netinet/ip_ipsp.c
===
RCS file: /cvs/src/sys/netinet/ip_ipsp.c,v
retrieving revision 1.232
diff -u -p -r1.232 ip_ipsp.c
--- netinet/ip_ipsp.c 28 Aug 2018 15:15:02 - 1.232
+++ netinet/ip_ipsp.c 22 Oct 2018 01:38:57 -
@@ -711,7 +711,7 @@ puttdb(struct tdb *tdbp)
 if ((tdbp->tdb_flags & (TDBF_INVALID|TDBF_TUNNELING)) == TDBF_TUNNELING) ipsecstat_inc(ipsec_tunnels);
- ipsec_last_added = time_second;
+ ipsec_last_added = time_uptime;
 }
 void
Index: netinet/ip_spd.c
===
RCS file: /cvs/src/sys/netinet/ip_spd.c,v
retrieving revision 1.98
diff -u -p -r1.98 ip_spd.c
--- netinet/ip_spd.c25 Jun 2018 11:11:41 - 1.98
+++ netinet/ip_spd.c22 Oct 2018 01:38:57 -
@@ -437,7 +437,7 @@ ipsp_spd_lookup(struct mbuf *m, int af,
 if (ipo->ipo_last_searched <= ipsec_last_added) {
 /* "Touch" the entry. */
 if (dignore == 0)
- ipo->ipo_last_searched = time_second;
+ ipo->ipo_last_searched = time_uptime;
 /* Find an appropriate SA from the existing ones. */
 ipo->ipo_tdb =
@@ -541,7 +541,7 @@ ipsp_spd_lookup(struct mbuf *m, int af,
 /* Find whether there exists an appropriate SA. */
 if (ipo->ipo_last_searched <= ipsec_last_added) {
 if (dignore == 0)
- ipo->ipo_last_searched = time_second;
+ ipo->ipo_last_searched = time_uptime;
 ipo->ipo_tdb = gettdbbysrc(rdomain,
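Review bot: The switch is only safe if every writer and reader of `ipsec_last_added` and `ipo_last_searched` moves to the same clock in one commit; the three sites here are converted, but any remaining `time_second` assignment elsewhere (for instance where a policy entry is created or reset, not in view) would leave the `<=` test comparing uptime seconds against wall-clock seconds and silently force or suppress SA re-lookups. A grep for both identifiers before commit, plus a note on the declaration such as `/* time_uptime seconds; only ever compared with ipo_last_searched, never exported */`, would make the invariant visible. Keeping `<=` rather than `<` is still right with a one-second counter, since a policy touched in the same second an SA was added must search again. puttdb() and ipsp_spd_lookup() both extend beyond these hunks.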
Re: rcctl, tiny typo in comment
On Sun, Oct 21, 2018 at 01:37:51PM +0200, Hiltjo Posthuma wrote: > Hi, > > Below a patch for a very small typo in a comment in /usr/sbin/rcctl > > > diff --git a/usr.sbin/rcctl/rcctl.sh b/usr.sbin/rcctl/rcctl.sh > index 61ad76a4987..3b2f0cabe49 100644 > --- a/usr.sbin/rcctl/rcctl.sh > +++ b/usr.sbin/rcctl/rcctl.sh > @@ -263,7 +263,7 @@ svc_get() > fi > > if ! svc_is_meta ${_svc}; then > - # these are expensive, make sure they are explicitely > requested > + # these are expensive, make sure they are explicitly > requested > if [ -z "${_var}" -o "${_var}" = "class" ]; then > getcap -f /etc/login.conf ${_svc} 1>/dev/null > 2>&1 && \ > daemon_class=${_svc} Committed, thanks! -- Antoine
Use EFI memory map on armv7
Like we do on arm64. Hopefully this decreases the chance that the kernel attempts to use memory that isn't actually available. At least it prevents the kernel from using the framebuffer set up by u-boot as normal memory on the cubox-i. The necessary bootloader support has been in the tree for ages. ok? Index: arch/armv7/armv7/armv7_machdep.c === RCS file: /cvs/src/sys/arch/armv7/armv7/armv7_machdep.c,v retrieving revision 1.55 diff -u -p -r1.55 armv7_machdep.c --- arch/armv7/armv7/armv7_machdep.c6 Aug 2018 18:39:13 - 1.55 +++ arch/armv7/armv7/armv7_machdep.c21 Oct 2018 20:43:28 - @@ -125,6 +125,7 @@ #include #include #include +#include #include @@ -152,12 +153,8 @@ char *boot_file = ""; uint8_t *bootmac = NULL; u_int cpu_reset_address = 0; -vaddr_t physical_start; vaddr_t physical_freestart; -vaddr_t physical_freeend; -vaddr_t physical_end; -u_int free_pages; -int physmem = 0; +int physmem; /*int debug_flags;*/ #ifndef PMAP_STATIC_L1S @@ -348,6 +345,13 @@ copy_io_area_map(pd_entry_t *new_pd) } } +uint64_t mmap_start; +uint32_t mmap_size; +uint32_t mmap_desc_size; +uint32_t mmap_desc_ver; + +EFI_MEMORY_DESCRIPTOR *mmap; + /* * u_int initarm(...) * @@ -363,14 +367,12 @@ copy_io_area_map(pd_entry_t *new_pd) u_int initarm(void *arg0, void *arg1, void *arg2, paddr_t loadaddr) { - int loop, loop1, i, physsegs = VM_PHYSSEG_MAX; + int loop, loop1; u_int l1pagetable; pv_addr_t kernel_l1pt; - pv_addr_t fdt; + pv_addr_t fdt, map; struct fdt_reg reg; - paddr_t memstart; - psize_t memsize; - paddr_t memend; + paddr_t memstart, memend; void *config; size_t size; void *node; 
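Review bot: The new file-scope objects `mmap_start`, `mmap_size`, `mmap_desc_size`, `mmap_desc_ver` and `mmap` are introduced with external linkage and no comment; unless pmap or another file consumes them the way the arm64 port does (not visible here), they should be `static`, and either way a short comment such as `/* UEFI memory map handed over by the bootloader via openbsd,uefi-mmap-* FDT properties, filled in by initarm() */` would tell the reader where they come from. Dropping the `= 0` on `physmem` is behaviourally neutral since static storage is zero-initialised, but it is a gratuitous diff line. The initarm() local-variable hunk starts the function whose body continues on the following lines.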
@@ -442,16 +444,24 @@ initarm(void *arg0, void *arg1, void *ar memcpy(lladdr, prop, sizeof(lladdr)); bootmac = lladdr; } + + len = fdt_node_property(node, "openbsd,uefi-mmap-start", ); + if (len == sizeof(mmap_start)) + mmap_start = bemtoh64((uint64_t *)prop); + len = fdt_node_property(node, "openbsd,uefi-mmap-size", ); + if (len == sizeof(mmap_size)) + mmap_size = bemtoh32((uint32_t *)prop); + len = fdt_node_property(node, "openbsd,uefi-mmap-desc-size", ); + if (len == sizeof(mmap_desc_size)) + mmap_desc_size = bemtoh32((uint32_t *)prop); + len = fdt_node_property(node, "openbsd,uefi-mmap-desc-ver", ); + if (len == sizeof(mmap_desc_ver)) + mmap_desc_ver = bemtoh32((uint32_t *)prop); } - node = fdt_find_node("/memory"); - if (node == NULL || fdt_get_reg(node, 0, )) - panic("initarm: no memory specificed"); - - memstart = reg.addr; - memsize = reg.size; - physical_start = reg.addr; - physical_end = MIN(reg.addr + reg.size, (paddr_t)-PAGE_SIZE); + if (mmap_start != 0) + bootstrap_bs_map(NULL, mmap_start, mmap_size, 0, + (bus_space_handle_t *)); platform_init(); @@ -468,15 +478,10 @@ initarm(void *arg0, void *arg1, void *ar #endif /* RAMDISK_HOOKS */ physical_freestart = (((unsigned long)esym - KERNEL_TEXT_BASE + 0xfff) & ~0xfff) + loadaddr; - physical_freeend = MIN((uint64_t)physical_end, (paddr_t)-PAGE_SIZE); - physmem = (physical_end - physical_start) / PAGE_SIZE; - -#ifdef DEBUG - /* Tell the user about the memory */ - printf("physmemory: %d pages at 0x%08lx -> 0x%08lx\n", physmem, - physical_start, physical_end - 1); -#endif + /* The bootloader has loaded us ubto a 32MB block. */ + memstart = loadaddr; + memend = memstart + 32 * 1024 * 1024; /* * Okay, the kernel starts 2MB in from the bottom of physical 
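Review bot: The four `openbsd,uefi-mmap-*` values are consumed without any sanity check: `bootstrap_bs_map(NULL, mmap_start, mmap_size, 0, ...)` maps whatever length the bootloader supplied, and `mmap_desc_size`/`mmap_desc_ver` are stored but not validated before the map is presumably walked later in initarm(). The bootloader is trusted on this path, so this is robustness rather than a trust-boundary problem, but a malformed or stale property should fail loudly rather than let the kernel hand UVM a bogus memory list; something like `if (mmap_desc_size < sizeof(EFI_MEMORY_DESCRIPTOR) || mmap_size % mmap_desc_size != 0) panic("initarm: bad uefi memory map");` before the map is used would do. The hunk also deletes the `/memory` lookup and its panic without a visible replacement for the `mmap_start == 0` case; if a fallback lives in a later hunk this is fine, otherwise a board without the EFI map now proceeds with no memory list at all. initarm() continues beyond the hunk.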
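Review bot: The new comment has a typo, `ubto` for `into`, and the 32MB figure it documents is a hard-coded contract with the bootloader that the page-table allocator in the next hunk now enforces through `physical_freestart > memend`; naming it keeps the two sides from drifting: `#define BOOT_LOAD_SIZE (32 * 1024 * 1024) /* size of the block the bootloader loads us into */` and `memend = memstart + BOOT_LOAD_SIZE;`. Because `memend` is derived from `loadaddr` rather than from the EFI map, a kernel plus symbols that outgrows that block will panic with "out of memory" even on a machine with plenty of RAM, which is acceptable but worth stating in the comment. initarm() continues outside this hunk.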
@@ -500,13 +505,6 @@ initarm(void *arg0, void *arg1, void *ar printf("Allocating page tables\n"); #endif - free_pages = (physical_freeend - physical_freestart) / PAGE_SIZE; - -#ifdef VERBOSE_INIT_ARM - printf("freestart = 0x%08lx, free_pages = %d (0x%08x)\n", - physical_freestart, free_pages, free_pages); -#endif - /* Define a macro to simplify memory allocation */ #definevalloc_pages(var, np) \ alloc_pages((var).pv_pa, (np)); \ @@ -515,9 +513,8 @@ initarm(void *arg0, void *arg1, void *ar #define alloc_pages(var, np) \ (var) = physical_freestart; \ physical_freestart += ((np) * PAGE_SIZE); \ - if (physical_freeend < physical_freestart) \ + if (physical_freestart > memend)\ panic("initarm: out of memory");\ - free_pages -= (np);
Re: relayd: sync host*() with ntpd
Denis Fondras(de...@openbsd.org) on 2018.10.20 18:12:18 +0200: > On Sat, Oct 20, 2018 at 05:30:59PM +0200, Klemens Nanni wrote: > > On Sat, Oct 20, 2018 at 11:57:13AM +0200, Denis Fondras wrote: > > > Sync changes to host_*() from ntpd to relayd. > > This looks good, however I'm not a relayd user. > > How did you test it? With both IPv4 and IPv6? > > > > I tested both on my machine, that's not extensive test though (using listen > and > forward in both IPv4 & IPv6 and checking if backend is reachable). > > Also regress is IPv4 only. > > > Some nits inline to squash inconsistencies with other `host_ip()' users > > in base. > > > > Thank you, new diff below. ok. > Index: parse.y > === > RCS file: /cvs/src/usr.sbin/relayd/parse.y,v > retrieving revision 1.228 > diff -u -p -r1.228 parse.y > --- parse.y 7 Sep 2018 07:35:31 - 1.228 > +++ parse.y 20 Oct 2018 16:07:19 - > @@ -123,8 +123,7 @@ static enum direction dir = RELAY_DIR_A > static char *rulefile = NULL; > static union hashkey *hashkey = NULL; > > -struct address *host_v4(const char *); > -struct address *host_v6(const char *); > +struct address *host_ip(const char *); > int host_dns(const char *, struct addresslist *, > int, struct portrange *, const char *, int); > int host_if(const char *, struct addresslist *, 
> @@ -2929,49 +2928,22 @@ symget(const char *nam) > } > > struct address * > -host_v4(const char *s) > +host_ip(const char *s) > { > - struct in_addr ina; > - struct sockaddr_in *sain; > - struct address *h; > - > - bzero(, sizeof(ina)); > - if (inet_pton(AF_INET, s, ) != 1) > - return (NULL); > - > - if ((h = calloc(1, sizeof(*h))) == NULL) > - fatal(__func__); > - sain = (struct sockaddr_in *)>ss; > - sain->sin_len = sizeof(struct sockaddr_in); > - sain->sin_family = AF_INET; > - sain->sin_addr.s_addr = ina.s_addr; > - > - return (h); > -} > - > -struct address * > -host_v6(const char *s) > -{ > - struct addrinfo hints, *res; > - struct sockaddr_in6 *sa_in6; > - struct address *h = NULL; > + struct addrinfo hints, *res; > + struct address *h = NULL; > > - bzero(, sizeof(hints)); > - hints.ai_family = AF_INET6; > - hints.ai_socktype = SOCK_DGRAM; /* dummy */ > + memset(, 0, sizeof(hints)); > + hints.ai_family = AF_UNSPEC; > + hints.ai_socktype = SOCK_DGRAM; /*dummy*/ > hints.ai_flags = AI_NUMERICHOST; > if (getaddrinfo(s, "0", , ) == 0) { > - if ((h = calloc(1, sizeof(*h))) == NULL) > - fatal(__func__); > - sa_in6 = (struct sockaddr_in6 *)>ss; > - sa_in6->sin6_len = sizeof(struct sockaddr_in6); > - sa_in6->sin6_family = AF_INET6; > - memcpy(_in6->sin6_addr, > - &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr, > - sizeof(sa_in6->sin6_addr)); > - sa_in6->sin6_scope_id = > - ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id; > - > + if (res->ai_family == AF_INET || > + res->ai_family == AF_INET6) { > + if ((h = calloc(1, sizeof(*h))) == NULL) > + fatal(NULL); > + memcpy(>ss, res->ai_addr, res->ai_addrlen); > + } > freeaddrinfo(res); > } 
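Review bot: `fatal(NULL)` drops the `__func__` context the replaced host_v4()/host_v6() logged on calloc() failure; the ntpd original may do the same, but keeping `fatal(__func__);` costs nothing and matches what this file did before. The family check followed by `memcpy(&h->ss, res->ai_addr, res->ai_addrlen)` is correct and now also carries the IPv6 scope id the old code copied by hand, but it silently relies on `ai_addrlen` never exceeding `sizeof(h->ss)` for AF_INET/AF_INET6; a one-line `/* ai_addrlen <= sizeof(h->ss) for the two families accepted above */` records why no length check is needed. host_ip() ends inside the hunk; its caller host() is not in view.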
> > @@ -2984,15 +2956,13 @@ host_dns(const char *s, struct addressli > { > struct addrinfo hints, *res0, *res; > int error, cnt = 0; > - struct sockaddr_in *sain; > - struct sockaddr_in6 *sin6; > struct address *h; > > if ((cnt = host_if(s, al, max, port, ifname, ipproto)) != 0) > return (cnt); > > bzero(, sizeof(hints)); > - hints.ai_family = PF_UNSPEC; > + hints.ai_family = AF_UNSPEC; > hints.ai_socktype = SOCK_DGRAM; /* DUMMY */ > hints.ai_flags = AI_ADDRCONFIG; > error = getaddrinfo(s, NULL, , ); > @@ -3024,19 +2994,8 @@ host_dns(const char *s, struct addressli > } > if (ipproto != -1) > h->ipproto = ipproto; > - h->ss.ss_family = res->ai_family; > > - if (res->ai_family == AF_INET) { > - sain = (struct sockaddr_in *)>ss; > - sain->sin_len = sizeof(struct sockaddr_in); > - sain->sin_addr.s_addr = ((struct sockaddr_in *) > - res->ai_addr)->sin_addr.s_addr; > - } else { > - sin6 = (struct sockaddr_in6 *)>ss; > - sin6->sin6_len = sizeof(struct sockaddr_in6); > - memcpy(>sin6_addr, &((struct sockaddr_in6
Re: relayd: sync host*() with ntpd
OK kn
Re: Remove VFSLCKDEBUG + ASSERT_VP_ISLOCKED (dead code in VFS)
> > After reading VOP_LOOKUP.9 based on recent commit, a try to remove some > > dead code in VFS. > > https://marc.info/?l=openbsd-cvs=153886730207657=2 > > > > VFSLCKDEBUG is not defined anywhere. It is misleading to read in > > sys/kern/vfs_vops.c that ASSERT_VP_ISLOCKED(dvp) is being checked, when in > > fact, it is just dead code. > > But you can build the kernel with -DVFSLCKDEBUG=1 to enable the debug code. Aargh, you are right, silly me. I didn't grep it in GENERIC before sending this out. I compiled GENERIC with VFSLCKDEBUG on, and the kernel is running fine. So those checks are useful. Forget about this diff! Thanks
httpd: sync host*() with ntpd
(resend with more infos by request from kn@) Sync changes to host_*() from ntpd to httpd. The diff was tested on amd64 and octeon with : - regress - curl to fetch a webpage and "listen on :: port 34125" - curl to fetch a webpage and "listen on 2001:db8::1 port 34126" - curl to fetch a webpage and "listen on 192.168.70.1 port 34127" - curl to fetch a webpage and "listen on 127.0.0.1 port 34128" - upgrade of a bgplg server ("listen on cnmac0 port 80" with v6 and v4, my only production httpd) All pass. Index: parse.y === RCS file: /cvs/src/usr.sbin/httpd/parse.y,v retrieving revision 1.106 diff -u -p -r1.106 parse.y --- parse.y 7 Sep 2018 07:35:30 - 1.106 +++ parse.y 21 Oct 2018 11:43:42 - @@ -103,8 +103,7 @@ static struct server_config *srv_conf = struct serverlist servers; struct media_type media; -struct address *host_v4(const char *); -struct address *host_v6(const char *); +struct address *host_ip(const char *); int host_dns(const char *, struct addresslist *, int, struct portrange *, const char *, int); int host_if(const char *, struct addresslist *, 
@@ -1846,60 +1845,25 @@ symget(const char *nam) } struct address * -host_v4(const char *s) -{ - struct in_addr ina; - struct sockaddr_in *sain; - struct address *h; - - memset(, 0, sizeof(ina)); - if (inet_pton(AF_INET, s, ) != 1) - return (NULL); - - if ((h = calloc(1, sizeof(*h))) == NULL) - fatal(__func__); - sain = (struct sockaddr_in *)>ss; - sain->sin_len = sizeof(struct sockaddr_in); - sain->sin_family = AF_INET; - sain->sin_addr.s_addr = ina.s_addr; - if (sain->sin_addr.s_addr == INADDR_ANY) - h->prefixlen = 0; /* 0.0.0.0 address */ - else - h->prefixlen = -1; /* host address */ - return (h); -} - -struct address * -host_v6(const char *s) +host_ip(const char *s) { struct addrinfo hints, *res; - struct sockaddr_in6 *sa_in6; struct address *h = NULL; memset(, 0, sizeof(hints)); - hints.ai_family = AF_INET6; - hints.ai_socktype = SOCK_DGRAM; /* dummy */ + hints.ai_family = AF_UNSPEC; + hints.ai_socktype = SOCK_DGRAM; /*dummy*/ hints.ai_flags = AI_NUMERICHOST; if (getaddrinfo(s, "0", , ) == 0) { - if ((h = calloc(1, sizeof(*h))) == NULL) - fatal(__func__); - sa_in6 = (struct sockaddr_in6 *)>ss; - sa_in6->sin6_len = sizeof(struct sockaddr_in6); - sa_in6->sin6_family = AF_INET6; - memcpy(_in6->sin6_addr, - &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr, - sizeof(sa_in6->sin6_addr)); - sa_in6->sin6_scope_id = - ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id; - if (memcmp(_in6->sin6_addr, _any, - sizeof(sa_in6->sin6_addr)) == 0) - h->prefixlen = 0; /* any address */ - else - h->prefixlen = -1; /* host address */ + if (res->ai_family == AF_INET || + res->ai_family == AF_INET6) { + if ((h = calloc(1, sizeof(*h))) == NULL) + fatal(NULL); + memcpy(>ss, res->ai_addr, res->ai_addrlen); + } freeaddrinfo(res); } - - return (h); + return (h); } int 
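Review bot: host_v4() and host_v6() set `h->prefixlen` to 0 for the any-address and -1 for a host address, and the new host_ip() sets nothing, so callers receive the calloc() zero, which is the marker httpd uses for "any address" (see the `/* any address */` comment on the removed lines). Unless host() reinstates that classification, every literal listen address would be treated as a wildcard; the host() hunk of this diff is not in view, so confirm it does, and if so add `/* prefixlen is classified by host() */` here so the contract is visible. host_dns() below still sets `h->prefixlen = -1` explicitly, which is the inconsistency that prompted this note; host_ip() itself is complete within the hunk.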
@@ -1908,15 +1872,13 @@ host_dns(const char *s, struct addressli { struct addrinfo hints, *res0, *res; int error, cnt = 0; - struct sockaddr_in *sain; - struct sockaddr_in6 *sin6; struct address *h; if ((cnt = host_if(s, al, max, port, ifname, ipproto)) != 0) return (cnt); memset(, 0, sizeof(hints)); - hints.ai_family = PF_UNSPEC; + hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_DGRAM; /* DUMMY */ hints.ai_flags = AI_ADDRCONFIG; error = getaddrinfo(s, NULL, , ); @@ -1951,17 +1913,7 @@ host_dns(const char *s, struct addressli h->ss.ss_family = res->ai_family; h->prefixlen = -1; /* host address */ - if (res->ai_family == AF_INET) { - sain = (struct sockaddr_in *)>ss; - sain->sin_len = sizeof(struct sockaddr_in); - sain->sin_addr.s_addr = ((struct sockaddr_in *) - res->ai_addr)->sin_addr.s_addr; - } else { - sin6 = (struct sockaddr_in6 *)>ss; - sin6->sin6_len = sizeof(struct sockaddr_in6); - memcpy(>sin6_addr, &((struct
httpd: sync host*() with ntpd
Sync changes to host_*() from ntpd to httpd. Index: parse.y === RCS file: /cvs/src/usr.sbin/httpd/parse.y,v retrieving revision 1.106 diff -u -p -r1.106 parse.y --- parse.y 7 Sep 2018 07:35:30 - 1.106 +++ parse.y 21 Oct 2018 11:43:42 - @@ -103,8 +103,7 @@ static struct server_config *srv_conf = struct serverlist servers; struct media_type media; -struct address *host_v4(const char *); -struct address *host_v6(const char *); +struct address *host_ip(const char *); int host_dns(const char *, struct addresslist *, int, struct portrange *, const char *, int); int host_if(const char *, struct addresslist *, 
@@ -1846,60 +1845,25 @@ symget(const char *nam) } struct address * -host_v4(const char *s) -{ - struct in_addr ina; - struct sockaddr_in *sain; - struct address *h; - - memset(, 0, sizeof(ina)); - if (inet_pton(AF_INET, s, ) != 1) - return (NULL); - - if ((h = calloc(1, sizeof(*h))) == NULL) - fatal(__func__); - sain = (struct sockaddr_in *)>ss; - sain->sin_len = sizeof(struct sockaddr_in); - sain->sin_family = AF_INET; - sain->sin_addr.s_addr = ina.s_addr; - if (sain->sin_addr.s_addr == INADDR_ANY) - h->prefixlen = 0; /* 0.0.0.0 address */ - else - h->prefixlen = -1; /* host address */ - return (h); -} - -struct address * -host_v6(const char *s) +host_ip(const char *s) { struct addrinfo hints, *res; - struct sockaddr_in6 *sa_in6; struct address *h = NULL; memset(, 0, sizeof(hints)); - hints.ai_family = AF_INET6; - hints.ai_socktype = SOCK_DGRAM; /* dummy */ + hints.ai_family = AF_UNSPEC; + hints.ai_socktype = SOCK_DGRAM; /*dummy*/ hints.ai_flags = AI_NUMERICHOST; if (getaddrinfo(s, "0", , ) == 0) { - if ((h = calloc(1, sizeof(*h))) == NULL) - fatal(__func__); - sa_in6 = (struct sockaddr_in6 *)>ss; - sa_in6->sin6_len = sizeof(struct sockaddr_in6); - sa_in6->sin6_family = AF_INET6; - memcpy(_in6->sin6_addr, - &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr, - sizeof(sa_in6->sin6_addr)); - sa_in6->sin6_scope_id = - ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id; - if (memcmp(_in6->sin6_addr, _any, - sizeof(sa_in6->sin6_addr)) == 0) - h->prefixlen = 0; /* any address */ - else - h->prefixlen = -1; /* host address */ + if (res->ai_family == AF_INET || + res->ai_family == AF_INET6) { + if ((h = calloc(1, sizeof(*h))) == NULL) + fatal(NULL); + memcpy(>ss, res->ai_addr, res->ai_addrlen); + } freeaddrinfo(res); } - - return (h); + return (h); } int 
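Review bot: The trailing `- return (h);` / `+ return (h);` pair appears to differ only in whitespace and exists because the blank line before it was deleted; keeping that blank line (or the original indentation) leaves the diff showing just the functional change. Likewise `/*dummy*/` loses the spacing the file's other comments use (`/* DUMMY */` in host_dns() below); `/* dummy */` matches the surrounding style. host_ip() is complete within the hunk.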
@@ -1908,15 +1872,13 @@ host_dns(const char *s, struct addressli { struct addrinfo hints, *res0, *res; int error, cnt = 0; - struct sockaddr_in *sain; - struct sockaddr_in6 *sin6; struct address *h; if ((cnt = host_if(s, al, max, port, ifname, ipproto)) != 0) return (cnt); memset(, 0, sizeof(hints)); - hints.ai_family = PF_UNSPEC; + hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_DGRAM; /* DUMMY */ hints.ai_flags = AI_ADDRCONFIG; error = getaddrinfo(s, NULL, , ); @@ -1951,17 +1913,7 @@ host_dns(const char *s, struct addressli h->ss.ss_family = res->ai_family; h->prefixlen = -1; /* host address */ - if (res->ai_family == AF_INET) { - sain = (struct sockaddr_in *)>ss; - sain->sin_len = sizeof(struct sockaddr_in); - sain->sin_addr.s_addr = ((struct sockaddr_in *) - res->ai_addr)->sin_addr.s_addr; - } else { - sin6 = (struct sockaddr_in6 *)>ss; - sin6->sin6_len = sizeof(struct sockaddr_in6); - memcpy(>sin6_addr, &((struct sockaddr_in6 *) - res->ai_addr)->sin6_addr, sizeof(struct in6_addr)); - } + memcpy(>ss, res->ai_addr, res->ai_addrlen); TAILQ_INSERT_HEAD(al, h, entry); cnt++; @@ -2049,34 +2001,49 @@ int host(const char *s, struct addresslist *al, int max, struct portrange *port, const char *ifname, int ipproto) { - struct address *h; + struct address *h; + struct
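Review bot: `h->ss.ss_family = res->ai_family;` two lines above the new `memcpy(&h->ss, res->ai_addr, res->ai_addrlen);` is now dead, since the copy overwrites the whole sockaddr including its family and length; drop it so a reader does not wonder whether the two can differ. `h->prefixlen = -1;` is rightly kept here for a resolved host address. The host() hunk that follows is cut off at the end of the message, so its prefixlen handling cannot be checked from here.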
Re: Remove VFSLCKDEBUG + ASSERT_VP_ISLOCKED (dead code in VFS)
Amit Kulkarni(amit.o...@gmail.com) on 2018.10.20 23:54:34 -0500: > Hi, > > After reading VOP_LOOKUP.9 based on recent commit, a try to remove some dead > code in VFS. > https://marc.info/?l=openbsd-cvs=153886730207657=2 > > VFSLCKDEBUG is not defined anywhere. It is misleading to read in > sys/kern/vfs_vops.c that ASSERT_VP_ISLOCKED(dvp) is being checked, when in > fact, it is just dead code. But you can build the kernel with -DVFSLCKDEBUG=1 to enable the debug code.
sshd - also log account trying a revoked key
When a revoked key is used in an authentication attempt, only the key information is currently logged: Oct 21 18:07:00 server sshd[79743]: error: Authentication key RSA SHA256:CMHiAcoUM2tSS0ENOFvMLBvjhwhaVsmQVvhuvhPxVy4 revoked by file /etc/ssh/ssh_revoked_keys Oct 21 18:07:06 server sshd[79743]: Connection closed by authenticating user foo 198.51.100.95 port 55634 [preauth] That requires a litte bit of AWK or Perl hackery to identify which account it was used against. It may also be that theoretically the log file could roll over at just the instant between writing the line about the key and writing the second line about the closed connection, making identification difficult. It would be of help in both cases to identify the account in question at the same time that the offending revoked key is identified in the log: Oct 21 18:14:14 server sshd[73078]: error: User foo authentication key RSA SHA256:CMHiAcoUM2tSS0ENOFvMLBvjhwhaVsmQVvhuvhPxVy4 revoked by file /etc/ssh/ssh_revoked_keys Oct 21 18:14:28 server sshd[73078]: Connection closed by authenticating user foo 198.51.100.95 port 55644 [preauth] So I would suggest consideration of something like the changes below. (Warning for cargo-culted code) /Lars Index: usr.bin/ssh//auth.c === RCS file: /cvs/src/usr.bin/ssh/auth.c,v retrieving revision 1.133 diff -u -p -u -r1.133 auth.c --- usr.bin/ssh//auth.c 12 Sep 2018 01:19:12 - 1.133 +++ usr.bin/ssh//auth.c 21 Oct 2018 15:27:04 - @@ -507,7 +507,7 @@ getpwnamallow(const char *user) /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ int -auth_key_is_revoked(struct sshkey *key) +auth_key_is_revoked(struct passwd *pw, struct sshkey *key) { char *fp = NULL; int r; 
@@ -526,8 +526,9 @@ auth_key_is_revoked(struct sshkey *key) case 0: break; /* not revoked */ case SSH_ERR_KEY_REVOKED: - error("Authentication key %s %s revoked by file %s", - sshkey_type(key), fp, options.revoked_keys_file); + error("User %s authentication key %s %s revoked by file %s", + pw->pw_name, sshkey_type(key), fp, + options.revoked_keys_file); goto out; default: error("Error checking authentication key %s %s in " Index: usr.bin/ssh//auth.h === RCS file: /cvs/src/usr.bin/ssh/auth.h,v retrieving revision 1.96 diff -u -p -u -r1.96 auth.h --- usr.bin/ssh//auth.h 10 Apr 2018 00:10:49 - 1.96 +++ usr.bin/ssh//auth.h 21 Oct 2018 15:27:04 - @@ -175,7 +175,7 @@ char*authorized_principals_file(struct FILE *auth_openkeyfile(const char *, struct passwd *, int); FILE *auth_openprincipals(const char *, struct passwd *, int); -int auth_key_is_revoked(struct sshkey *); +int auth_key_is_revoked(struct passwd *, struct sshkey *); const char *auth_get_canonical_hostname(struct ssh *, int); Index: usr.bin/ssh//auth2-hostbased.c === RCS file: /cvs/src/usr.bin/ssh/auth2-hostbased.c,v retrieving revision 1.38 diff -u -p -u -r1.38 auth2-hostbased.c --- usr.bin/ssh//auth2-hostbased.c 20 Sep 2018 03:28:06 - 1.38 +++ usr.bin/ssh//auth2-hostbased.c 21 Oct 2018 15:27:04 - @@ -175,7 +175,7 @@ hostbased_key_allowed(struct passwd *pw, int len; char *fp; - if (auth_key_is_revoked(key)) + if (auth_key_is_revoked(pw, key)) return 0; resolvedname = auth_get_canonical_hostname(ssh, options.use_dns); Index: usr.bin/ssh//auth2-pubkey.c === RCS file: /cvs/src/usr.bin/ssh/auth2-pubkey.c,v retrieving revision 1.86 diff -u -p -u -r1.86 auth2-pubkey.c --- usr.bin/ssh//auth2-pubkey.c 20 Sep 2018 03:28:06 - 1.86 +++ usr.bin/ssh//auth2-pubkey.c 21 Oct 2018 15:27:04 - 
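Review bot: The `default:` branch two lines below the change still logs `Error checking authentication key %s %s` without the account, so the one case that now names the user is the revoked-key case; for the same log-correlation reason that motivated this diff, add `pw->pw_name` there too. `pw` is dereferenced unconditionally; both visible callers pass the authctxt's passwd, which sshd fills with a placeholder for unknown users (from memory, not visible here), so NULL is unlikely, but `pw != NULL ? pw->pw_name : "(unknown)"` would keep the logger from being what crashes on a future caller. The new parameter could also be `const struct passwd *`, since the function only reads it. auth_key_is_revoked() continues past the hunk.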
@@ -1001,10 +1001,10 @@ user_key_allowed(struct ssh *ssh, struct if (authoptsp != NULL) *authoptsp = NULL; - if (auth_key_is_revoked(key)) + if (auth_key_is_revoked(pw, key)) return 0; if (sshkey_is_cert(key) && - auth_key_is_revoked(key->cert->signature_key)) + auth_key_is_revoked(pw, key->cert->signature_key)) return 0; if ((success = user_cert_trusted_ca(ssh, pw, key, )) != 0)
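Review bot: The second call, `auth_key_is_revoked(pw, key->cert->signature_key)`, will now log `User foo authentication key ... revoked` for a key that belongs to the CA rather than to the user, which misleads anyone grepping the log for the user's own keys. Either log the CA case separately at this call site, e.g. `error("User %s presented certificate signed by revoked CA key", pw->pw_name);` before returning, or extend the message so the reader can tell the two apart; a comment such as `/* revoked CA key: the log line names the user, not the key owner */` is the minimum. user_key_allowed() continues beyond the hunk.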
rcctl, tiny typo in comment
Hi, Below a patch for a very small typo in a comment in /usr/sbin/rcctl diff --git a/usr.sbin/rcctl/rcctl.sh b/usr.sbin/rcctl/rcctl.sh index 61ad76a4987..3b2f0cabe49 100644 --- a/usr.sbin/rcctl/rcctl.sh +++ b/usr.sbin/rcctl/rcctl.sh @@ -263,7 +263,7 @@ svc_get() fi if ! svc_is_meta ${_svc}; then - # these are expensive, make sure they are explicitely requested + # these are expensive, make sure they are explicitly requested if [ -z "${_var}" -o "${_var}" = "class" ]; then getcap -f /etc/login.conf ${_svc} 1>/dev/null 2>&1 && \ daemon_class=${_svc} -- Kind regards, Hiltjo
Re: bgpd refactor rib dumping
On Thu, Oct 18, 2018 at 02:29:17PM +0200, Claudio Jeker wrote: > Change the way ribs are porcessed. Currently all async dumpers have to > call rib_dump_r() whenever progress should be made. Also creating the > context for such a dump is all on the caller side. Change this to one > central place. Now all that is needed is to call rib_dump_new() with > the callbacks for upcall, done and throttled. done and throttled are > optional. This should solve the problem of not progressing rib_dump > once and for all, also it removes the sync rib_dump() function which > is no longer used. > Thanks to denis@ this uncovered a bigger problem in the RDE. The RIB heads are currently stored in an array indexed by their id. Now if new RIBs are added this array may be reallocated. The problem is that the a pointer to that struct is stored in a few places (peer, rib entries, dump contexts) which is bad once such are realloc happens. I extended this diff now to solve this issue by storing the RIB ID instead of rib pointers in those structs. With this I no longer get the crashes by adding new ribs. -- :wq Claudio Index: mrt.c === RCS file: /cvs/src/usr.sbin/bgpd/mrt.c,v retrieving revision 1.86 diff -u -p -r1.86 mrt.c --- mrt.c 24 Jul 2018 10:10:58 - 1.86 +++ mrt.c 18 Oct 2018 11:03:36 - @@ -673,10 +673,8 @@ mrt_dump_upcall(struct rib_entry *re, vo } void -mrt_done(void *ptr) +mrt_done(struct mrt *mrtbuf) { - struct mrt *mrtbuf = ptr; - mrtbuf->state = MRT_STATE_REMOVE; } Index: rde.c === RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v retrieving revision 1.437 diff -u -p -r1.437 rde.c --- rde.c 18 Oct 2018 12:19:09 - 1.437 +++ rde.c 21 Oct 2018 11:43:20 - 
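Review bot: `mrt_done()` changes from `void *` to `struct mrt *` while the completion callbacks declared in the rde.c hunk below (`rde_softreconfig_in_done(void *, u_int8_t)`) keep a `void *` first argument; if mrt_done() is still registered directly as a `done` callback for rib_dump_new(), that is an incompatible function-pointer type (undefined behaviour in C, and something clang warns about), and it needs a `void *` wrapper that casts. rib_dump_new()'s signature and mrt_done()'s registration are not in view, so this may already be handled. The ID-instead-of-pointer change described in the message also means every lookup from id to `struct rib` must bounds-check against the current array size, since a rib removed while a dump is in flight leaves a stale id behind; worth a comment where the ids are resolved.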
@@ -69,34 +69,18 @@ void rde_update_log(const char *, u_in voidrde_as4byte_fixup(struct rde_peer *, struct rde_aspath *); voidrde_reflector(struct rde_peer *, struct rde_aspath *); -voidrde_dump_rib_as(struct prefix *, struct rde_aspath *, pid_t, -int); -voidrde_dump_filter(struct prefix *, -struct ctl_show_rib_request *); -voidrde_dump_filterout(struct rde_peer *, struct prefix *, -struct ctl_show_rib_request *); -voidrde_dump_upcall(struct rib_entry *, void *); -voidrde_dump_prefix_upcall(struct rib_entry *, void *); voidrde_dump_ctx_new(struct ctl_show_rib_request *, pid_t, enum imsg_type); voidrde_dump_ctx_throttle(pid_t pid, int throttle); -voidrde_dump_runner(void); -int rde_dump_pending(void); -voidrde_dump_done(void *); voidrde_dump_mrt_new(struct mrt *, pid_t, int); -voidrde_dump_rib_free(struct rib *); -voidrde_dump_mrt_free(struct rib *); -voidrde_rib_free(struct rib_desc *); int rde_rdomain_import(struct rde_aspath *, struct rdomain *); voidrde_reload_done(void); -static void rde_reload_runner(void); -static void rde_softreconfig_in_done(void *); -static void rde_softreconfig_out_done(void *); +static void rde_softreconfig_in_done(void *, u_int8_t); +static void rde_softreconfig_out_done(void *, u_int8_t); static void rde_softreconfig_done(void); static void rde_softreconfig_out(struct rib_entry *, void *); static void rde_softreconfig_in(struct rib_entry *, void *); -voidrde_up_dump_upcall(struct rib_entry *, void *); voidrde_update_queue_runner(void); voidrde_update6_queue_runner(u_int8_t); struct rde_prefixset *rde_find_prefixset(char *, struct rde_prefixset_head *); @@ -146,7 +130,6 @@ int softreconfig; struct rde_dump_ctx { LIST_ENTRY(rde_dump_ctx)entry; - struct rib_context ribctx; struct ctl_show_rib_request req; sa_family_t af; u_int8_tthrottled; @@ -156,7 +139,6 @@ LIST_HEAD(, rde_dump_ctx) rde_dump_h = L struct rde_mrt_ctx { LIST_ENTRY(rde_mrt_ctx) entry; - struct rib_context ribctx; struct mrt mrt; }; 
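Review bot: With `struct rib_context ribctx` removed from `rde_dump_ctx` and `rde_mrt_ctx`, the dump state now lives in whatever rib_dump_new() allocates internally, so the teardown paths for these contexts (control client disconnect, MRT file close) must also cancel that internal state, otherwise the central runner keeps invoking an upcall whose `void *` argument points at a freed context. None of that code is in view here, so this may well be covered; a comment on the two struct definitions saying who owns the dump and how it is terminated would settle it for the next reader. The prototype hunk above is mechanical.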
@@ -272,20 +254,13 @@ rde_main(int debug, int verbose)
 set_pollfd([PFD_PIPE_SESSION], ibuf_se);
 set_pollfd([PFD_PIPE_SESSION_CTL], ibuf_se_ctl);
- if (rde_dump_pending() &&
- ibuf_se_ctl && ibuf_se_ctl->w.queued == 0)
- timeout = 0;
- if (softreconfig)
+ if (rib_dump_pending())
 timeout = 0;
 i = PFD_PIPE_COUNT;
 for (mctx = LIST_FIRST(_mrts); mctx != 0; mctx = xmctx) {
 xmctx = LIST_NEXT(mctx,
Re: tcpdump: remove #ifdef INET6
On Sat, Sep 29, 2018 at 10:26:45PM +0200, Klemens Nanni wrote: > The build is broken with `-U INET6' anyway and I see no reason to > disable IPv6 support. > > Removing these macro guards leaves NSD and Unbound as last remaining > programs in base to have them. > > This diff also fixes an empty redefine for IPPROTO_IPV6 in print-ip.c. > > No object change on amd64 and sparc64 when built with clang. > Using gcc results in changes on both platforms, but I'm still unsure how > to handle this. Testing gcc builds on my machines did not reveal any > breakage or change in behaviour. > > Feedback? Objections? OK? > Tested on amd64 and octeon, no regress found. OK denis@
> Index: Makefile
> ===
> RCS file: /cvs/src/usr.sbin/tcpdump/Makefile,v
> retrieving revision 1.63
> diff -u -p -r1.63 Makefile
> --- Makefile 3 Feb 2018 13:39:48 - 1.63
> +++ Makefile 29 Sep 2018 19:15:37 -
> @@ -28,7 +28,7 @@ CFLAGS+=-Wall -I${.CURDIR}/../../sbin/pf
> # for pcap-int.h
> CFLAGS+=-I${.CURDIR}/../../lib/libpcap
>
> -CFLAGS+=-DCSLIP -DPPP -DHAVE_FDDI -DETHER_SERVICE -DHAVE_ETHER_NTOHOST
> -DINET6
> +CFLAGS+=-DCSLIP -DPPP -DHAVE_FDDI -DETHER_SERVICE -DHAVE_ETHER_NTOHOST
>
> LDADD+= -lpcap -ll -lcrypto
> DPADD+= ${LIBL} ${LIBPCAP} ${LIBCRYPTO}
> Index: addrtoname.c
> ===
> RCS file: /cvs/src/usr.sbin/tcpdump/addrtoname.c,v
> retrieving revision 1.37
> diff -u -p -r1.37 addrtoname.c
> --- addrtoname.c 14 Dec 2016 19:12:16 - 1.37
> +++ addrtoname.c 29 Sep 2018 18:56:46 -
> @@ -34,10 +34,7 @@ struct rtentry;
>
> #include
> #include
> -
> -#ifdef INET6
> #include
> -#endif
>
> #include
>
> @@ -78,7 +75,6 @@ struct hnamemem eprototable[HASHNAMESIZE
> struct hnamemem dnaddrtable[HASHNAMESIZE];
> struct hnamemem llcsaptable[HASHNAMESIZE];
>
> -#ifdef INET6
> struct h6namemem {
> struct in6_addr addr;
> char *name;
> @@ -86,7 +82,6 @@ struct h6namemem {
> };
>
> struct h6namemem h6nametable[HASHNAMESIZE];
> -#endif /* INET6 */
>
> struct enamemem {
> u_short e_addr0;
> @@ -234,7 +229,6 @@ getname(const u_char *ap)
> return (p->name);
> }
>
> -#ifdef INET6
> /*
> * Return a name for the IP6 address pointed to by ap. This address
> * is assumed to be in network byte order.
> @@ -293,7 +287,6 @@ getname6(const u_char *ap)
> p->name = savestr(cp);
> return (p->name);
> }
> -#endif /* INET6 */
>
> static char hex[] = "0123456789abcdef";
>
> @@ -902,7 +895,6 @@ newhnamemem(void)
> return (p);
> }
>
> -#ifdef INET6
> /* Return a zero'ed h6namemem struct and cuts down on calloc() overhead */
> struct h6namemem *
> newh6namemem(void)
> @@ -921,4 +913,3 @@ newh6namemem(void)
> p = ptr++;
> return (p);
> }
> -#endif /* INET6 */
> Index: addrtoname.h
> ===
> RCS file: /cvs/src/usr.sbin/tcpdump/addrtoname.h,v
> retrieving revision 1.11
> diff -u -p -r1.11 addrtoname.h
> --- addrtoname.h 7 Oct 2007 16:41:05 - 1.11
> +++ addrtoname.h 29 Sep 2018 18:57:02 -
> @@ -39,18 +39,12 @@ extern char *tcpport_string(u_short);
> extern char *udpport_string(u_short);
> extern char *ipproto_string(u_int);
> extern char *getname(const u_char *);
> -#ifdef INET6
> extern char *getname6(const u_char *);
> -#endif
> extern char *intoa(u_int32_t);
>
> extern void init_addrtoname(u_int32_t, u_int32_t);
> extern struct hnamemem *newhnamemem(void);
> -#ifdef INET6
> extern struct h6namemem *newh6namemem(void);
> -#endif
>
> #define ipaddr_string(p) getname((const u_char *)(p))
> -#ifdef INET6
> #define ip6addr_string(p) getname6((const u_char *)(p))
> -#endif
> Index: interface.h
> ===
> RCS file: /cvs/src/usr.sbin/tcpdump/interface.h,v
> retrieving revision 1.78
> diff -u -p -r1.78 interface.h
> --- interface.h 6 Jul 2018 07:13:21 - 1.78
> +++ interface.h 29 Sep 2018 18:57:28 -
> @@ -287,7 +287,6 @@ extern void ofp_if_print(u_char *, const
> extern void usbpcap_if_print(u_char *, const struct pcap_pkthdr *,
> const u_char *);
>
> -#ifdef INET6
> extern void ip6_print(const u_char *, u_int);
> extern void ip6_opt_print(const u_char *, int);
> extern int hbhopt_print(const u_char *);
> @@ -298,7 +297,6 @@ extern void ripng_print(const u_char *,
> extern int rt6_print(const u_char *, const u_char *);
> extern void ospf6_print(const u_char *, u_int);
> extern void dhcp6_print(const u_char *, u_int, u_short, u_short);
> -#endif /*INET6*/
>
> extern uint32_t in_cksum_add(const void *, size_t, uint32_t);
> extern uint16_t in_cksum_fini(uint32_t);
> Index: print-atm.c
> ===
> RCS file: /cvs/src/usr.sbin/tcpdump/print-atm.c,v
Re: Debug / Driver / Kernel / WiFi
On Sun, Oct 21, 2018 at 08:25:02AM +0200, def...@posteo.de wrote: > Hi > > Any updates? I still want to do some testing at my end with ath hardware I have. So please just wait.
Re: Debug / Driver / Kernel / WiFi
Hi Any updates? Deface писал 18.10.2018 00:02: Hi all, The patch in attachment works fine for me and fixes the [ERROR: ATH0 UNABLE TO RESET HARDWARE] issue that I had on my FUJITSU SIEMENS ESPRIMO Mobile U9210. Patch is relative to -current. Please check. Many Thanks Stefan Sperling for Code Review and strong support with Copyright! Oleg Pahl (Munich) On 10/06/18 14:28, Stefan Sperling wrote: On Sat, Oct 06, 2018 at 01:32:55PM +0200, NN wrote: Hi all, Many thanks for your support and reply! I am not Profi (I have experience < 1year with OpenBSD and C Programming.), that is why it will take me a lot of time to fix and try something. After Mr. Sperling first review of my Code ... I have made few fixes. In attachment you can see my new patch. Please, try it and send me your feedback. Its working for me. (*no more ERROR: ath0 unable to reset hardware*) Thank you! This is looking great. I see only two remaining problems: Please don't use C++-style // comments. The lines commented this way can just be removed. More importantly it looks like these changes are based on work done by Nick Kossifidis in Linux ath5k. I am quoting the relevant changes from the Linux git log below. So I doubt this is your original work. It is OK to copy this code into OpenBSD because it is licensed under ISC, the same licence used by our ath(4) driver which this Linux code was based on. But only under the condition that we give attribution to the original author. So please copy Nick's copyright line into our files as well. You can find it at the top of each file you've copied code from. And then we should be good to go.
commit cc6323c7d8c231d83e592ff9f7acf2cac5e016f7
Author: Nick Kossifidis
Date: Sun Jul 20 06:44:43 2008 +0300
ath5k: Update channel functions * Add channel function for RF2425 (got this from decompiling binary HAL, i have no idea why there is a 5GHz section but i'm looking into it) * Update RF5112 channel function (also got this from decompiling binary HAL) * Set JAPAN setting for channel 14 on all PHY chips
Changes-licensed-under: ISC
Signed-off-by: Nick Kossifidis
Signed-off-by: John W. Linville
diff --git a/drivers/net/wireless/ath5k/phy.c b/drivers/net/wireless/ath5k/phy.c
index 66af70bd14e7..cbc362d20719 100644
--- a/drivers/net/wireless/ath5k/phy.c
+++ b/drivers/net/wireless/ath5k/phy.c
@@ -1898,9 +1898,6 @@ static int ath5k_hw_rf5112_channel(struct ath5k_hw *ah,
 data = data0 = data1 = data2 = 0;
 c = channel->center_freq;
- /*
- * Set the channel on the RF5112 or newer
- */
 if (c < 4800) {
 if (!((c - 2224) % 5)) {
 data0 = ((2 * (c - 704)) - 3040) / 10;
@@ -1912,7 +1909,7 @@ static int ath5k_hw_rf5112_channel(struct ath5k_hw *ah,
 return -EINVAL;
 data0 = ath5k_hw_bitswap((data0 << 2) & 0xff, 8);
- } else {
+ } else if ((c - (c % 5)) != 2 || c > 5435) {
 if (!(c % 20) && c >= 5120) {
 data0 = ath5k_hw_bitswap(((c - 4800) / 20 << 2), 8);
 data2 = ath5k_hw_bitswap(3, 2);
@@ -1924,6 +1921,9 @@ static int ath5k_hw_rf5112_channel(struct ath5k_hw *ah,
 data2 = ath5k_hw_bitswap(1, 2);
 } else
 return -EINVAL;
+ } else {
+ data0 = ath5k_hw_bitswap((10 * (c - 2) - 4800) / 25 + 1, 8);
+ data2 = ath5k_hw_bitswap(0, 2);
 }
 data = (data0 << 4) | (data1 << 1) | (data2 << 2) | 0x1001;
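Review bot: The new condition in the -1912 hunk, `} else if ((c - (c % 5)) != 2 || c > 5435) {`, is always true because `c - (c % 5)` is a multiple of 5 and can never equal 2, so the `else` branch added in the -1924 hunk (`data0 = ath5k_hw_bitswap((10 * (c - 2) - 4800) / 25 + 1, 8)`) is unreachable. The same expression guards the final `else` of ath5k_hw_rf2425_channel in the following hunk, which is dead for the same reason. The intended test looks like the remainder itself, `} else if ((c % 5) != 2 || c > 5435) {`, but since the commit message says the logic was recovered from a decompiled HAL, the right condition should be confirmed against the channel tables before this is carried into ath(4). The RF2425 variant also tests `c < 5120` where the RF5112 one tests `c >= 5120`; that asymmetry deserves a second look for the same reason. ath5k_hw_rf5112_channel's body starts and ends outside these hunks.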
@@ -1934,6 +1934,45 @@ static int ath5k_hw_rf5112_channel(struct ath5k_hw *ah,
 return 0;
 }
+/*
+ * Set the channel on the RF2425
+ */
+static int ath5k_hw_rf2425_channel(struct ath5k_hw *ah,
+ struct ieee80211_channel *channel)
+{
+ u32 data, data0, data2;
+ u16 c;
+
+ data = data0 = data2 = 0;
+ c = channel->center_freq;
+
+ if (c < 4800) {
+ data0 = ath5k_hw_bitswap((c - 2272), 8);
+ data2 = 0;
+ /* ? 5GHz ? */
+ } else if ((c - (c % 5)) != 2 || c > 5435) {
+ if (!(c % 20) && c < 5120)
+ data0 = ath5k_hw_bitswap(((c - 4800) / 20 << 2), 8);
+ else if (!(c % 10))
+ data0 = ath5k_hw_bitswap(((c - 4800) / 10 << 1), 8);
+ else if (!(c % 5))
+ data0 = ath5k_hw_bitswap((c - 4800) / 5, 8);
+ else
+ return -EINVAL;
+ data2 = ath5k_hw_bitswap(1, 2);
+ } else {
+ data0 = ath5k_hw_bitswap((10 * (c - 2) - 4800) / 25 + 1, 8);
+ data2 = ath5k_hw_bitswap(0, 2);
+ }
+
+ data = (data0 << 4) | data2 << 2 | 0x1001;
+
+ ath5k_hw_reg_write(ah, data & 0xff, AR5K_RF_BUFFER);
+ ath5k_hw_reg_write(ah, (data >> 8) & 0x7f, AR5K_RF_BUFFER_CONTROL_5);
+
+ return 0;
+}
+
 /*
 * Set a channel on the radio chip
 */
@@ -1963,6 +2002,9 @@ int ath5k_hw_channel(struct ath5k_hw *ah, struct ieee80211_channel *channel)
 case AR5K_RF5111:
 ret = ath5k_hw_rf5111_channel(ah, channel);
 break;
+ case AR5K_RF2425:
+ ret = ath5k_hw_rf2425_channel(ah, channel);
+ break;
 default:
 ret = ath5k_hw_rf5112_channel(ah, channel);
 break;
@@ -1971,6 +2013,15 @@ int ath5k_hw_channel(struct ath5k_hw *ah, struct ieee80211_channel *channel)
 if (ret)
 return ret;
+ /* Set JAPAN setting for channel 14 */
+ if (channel->center_freq == 2484) {
commit 1889ba0a48688b639c2b2e9e1b0fd8f84e2c37d1
Author: Nick Kossifidis
Date: Thu Apr 30 15:55:46 2009 -0400
ath5k: Put remaining EEPROM data on ee